Department of Homeland Security
Office of Inspector General

U.S. Computer Emergency Readiness Team Makes Progress in Securing Cyberspace,
but Challenges Remain

OIG-10-94
June 2010

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

June 7, 2010

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was
established by the Homeland Security Act of 2002 (Public Law 107-296) by
amendment to the Inspector General Act of 1978. This is one of a series of
audits, inspections, and special reports prepared as part of our oversight
responsibilities to promote economy, efficiency, and effectiveness within the
department.

This report addresses the U.S. Computer Emergency Readiness Team’s (US-CERT)
efforts to coordinate national cyber analyses and warnings against and response
to attacks within the nation’s critical infrastructure. It is based on direct
observations and analyses of applicable documents. We obtained additional
supporting documentation through interviews with selected personnel located in
the National Cyber Security Division, US-CERT Program Office, Carnegie Mellon
University – Software Engineering Institute, and selected federal agencies.

The recommendations herein have been developed to the best knowledge available
to our office, and have been discussed in draft with those responsible for
implementation. We trust this report will result in more effective, efficient,
and economical operations.
We express our appreciation to all of those who contributed to the preparation
of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
    Actions Have Been Taken to Address Cybersecurity
    Improvements Are Needed to Strengthen the Cybersecurity Program
        Recommendations
        Management Comments and OIG Analysis
    Better Information Sharing and Communication Can Enhance Coordination
    Efforts With the Public
        Recommendations
        Management Comments and OIG Analysis
    Improved Situational Awareness and Identification of Network Anomalies
    Can Better Protect the Cyberspace
        Recommendation
        Management Comments and OIG Analysis
Appendices
    Appendix A: Purpose, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: Major Contributors to this Report
    Appendix D: Report Distribution

Abbreviations
    CIO        Chief Information Officer
    CISO       Chief Information Security Officer
    DHS        Department of Homeland Security
    FISMA      Federal Information Security Management Act
    GAO        Government Accountability Office
    GFIRST     Government Forum of Incident Response Security Team
    NCCIC      National Cybersecurity and Communications Integration Center
    NCSD       National Cyber Security Division
    NIPP       National Infrastructure Protection Plan
    NPPD       National Protection and Programs Directorate
    OMB        Office of Management and Budget
    SOP        Standard Operating Procedure
    US-CERT    U.S. Computer Emergency Readiness Team

Executive Summary

We reviewed the U.S. Computer Emergency Readiness Team’s (US-CERT) efforts in
coordinating national cybersecurity analyses and warning against and response
to attacks against the nation’s cyberspace.
US-CERT leads a public-private partnership to protect and defend the nation’s
cyber infrastructure. It coordinates and facilitates information sharing among
federal agencies, state and local governments, private sectors, academia,
international partners, and the public on cybersecurity threats and attacks.

US-CERT has made progress in implementing a cybersecurity program to assist
federal agencies in protecting their information technology systems against
cyber threats. Specifically, it has facilitated cybersecurity information
sharing with the public and private sectors through various working groups,
issuing notices, bulletins, and reports, and web postings. Further, the Office
of Cybersecurity and Communications has established a unified operations center
that includes US-CERT to address threats and incidents affecting the nation’s
critical information technology and cyber infrastructure. To increase the
skills and expertise of its staff, US-CERT has developed a technical mentoring
program to offer cybersecurity and specialized training.

Still, US-CERT can further improve its analysis and warning program. For
example, US-CERT must improve its management oversight by developing a
strategic plan, establishing performance measures, and approving policies and
procedures to ensure that its analysis and warning program is effective. It
must also ensure that it has sufficient staff to perform its mission.
Additionally, it should improve its information sharing and communications
coordination efforts with the public. Finally, US-CERT needs to improve its
situational awareness and identification capability by monitoring the federal
cyber infrastructure for network anomalies in real-time.

We are making seven recommendations to the Under Secretary of the National
Protection and Programs Directorate (NPPD). NPPD concurred with six of the
seven recommendations and has already begun taking actions to implement them.
NPPD’s response is included, in its entirety, as Appendix B.

Background

The National Strategy to Secure Cyberspace provides the framework and guidance
for national cybersecurity efforts, including responding to threats and
incidents, reducing vulnerabilities, promoting outreach and awareness,
training, and establishing partnerships through increased coordination among
state and local governments, academia, international organizations, and the
public and private sectors.
Additionally, DHS is responsible for developing the national cyberspace
security response system, which includes providing crisis management support
and coordinating with other agencies to provide warning information.

The National Cyber Security Division (NCSD) created US-CERT in 2003 to protect
the federal government network infrastructure by coordinating efforts to defend
against and respond to cyber attacks. Specifically, US-CERT is responsible for
analyzing and reducing cyber threats and vulnerabilities, disseminating cyber
threat warning information, and coordinating cyber incident response
activities.

Additionally, US-CERT collaborates with federal agencies, the private sector,
the research community, academia, state, local, and tribal governments, and
international partners.
Through coordination with various national security incident response centers
in responding to potential security events and threats on both classified and
unclassified networks, US-CERT disseminates cybersecurity information to the
public.

US-CERT is comprised of the following four sections:

    Analysis – provides analytical insight into cyber activity; conducts
    technical analysis of data; and characterizes the threat, vulnerability,
    and incident.

    Business, Performance, and Planning – improves mission through integrated
    planning; provides oversight in management of the budget and program
    performance; and manages staffing efforts.

    Detection – develops actionable intelligence from multiple sources; tracks
    and reports metrics from the sensor suite; and coordinates with Network
    Security Deployment and Federal Network Security.

    Mission Management – maintains operations center; produces and reports
    threat information; and collaborates and coordinates with cybersecurity
    stakeholders.

NCSD developed Einstein to provide US-CERT with a situational awareness
snapshot of the health of the federal government’s cyberspace.
US-CERT manages Einstein and maintains its public website and secure portal to
fulfill the mission. Technologies, such as Einstein, enable US-CERT to detect
unusual and previously identified network traffic patterns and trends that
signal unauthorized, threatening, or risky network activities, and to
categorize anomalous activity that could pose a risk to US-CERT constituents.
US-CERT uses other systems in addition to Einstein. Through fusion of
information received from all of these sources, US-CERT is able to prioritize
and escalate cyber activity appropriately, coordinate incident response
activities, and share alerts, warnings, and mitigation strategies around
threats and vulnerabilities.

Results of Audit

Actions Have Been Taken to Address Cybersecurity

US-CERT has made progress in developing and implementing the capabilities to
detect and mitigate cyber incidents across federal agencies’ networks.
Similarly, US-CERT leads and coordinates efforts to improve the nation’s
cybersecurity posture, promote cyber information sharing, and mitigate cyber
risks.

For example, the Office of Cybersecurity and Communications developed the
National Cybersecurity and Communications Integration Center (NCCIC), which is
a unified operations center to address security threats and incidents that may
affect the nation’s critical information systems and network
infrastructure.[1] Specifically, the NCCIC helps DHS to fulfill its mission to
secure cyberspace by supporting the decision making process for the federal
government, and enabling incident response through shared situational
awareness. As a result, the NCCIC serves as the "central repository" for the
cyber protection efforts of the federal government and its private sector
partners. Figure 1 shows the NCCIC’s Watch Floor layout.

Figure 1. NCCIC Watch Floor.[2] Source: US-CERT

[1] The NCCIC consists of the following organizations: National Communications
System, National Coordinating Center; NCSD, US-CERT; NCSD, Industrial Control
System Cyber Emergency Response Team; Office of Intelligence and Analysis;
National Cybersecurity Center; Department and Agency, Security Operations
Centers; Law Enforcement and Intelligence Community; and the private sector.

[2] The NCCIC is located in Arlington, VA and is equipped with wall-mounted
screens to display maps and threat data. The NCCIC has a seating capacity of 60
personnel.

Other actions designed to improve the expertise of US-CERT staff and
information sharing include the following:

    Conducting in-person and online training to increase individuals’
    knowledge, skills, and abilities regarding specific information topics
    that are relevant to US-CERT operations. Training relates to packet capture
    analysis and signature development; malware; and web browser security.[3]

    Participating in public and private sector working groups to promote
    information sharing and collaboration.
    The working groups assist in the coordination and mitigation of computer
    and cyber security incidents as well as the development of best security
    practices.

    Distributing US-CERT products regarding specific vulnerabilities and
    situational awareness, as well as quarterly trend and analysis reports, to
    public and private sectors.

While progress has been made, US-CERT still faces numerous challenges in
reducing cyber security risks and protecting the nation’s critical
infrastructure. US-CERT must continue to improve its ability to analyze and
reduce cyber threats and vulnerabilities and to disseminate information through
a cohesive effort between public and private sectors.

Improvements Are Needed to Strengthen the Cybersecurity Program

US-CERT is hindered in its ability to provide an effective analysis and warning
program for the federal government in a number of ways.
Specifically, US-CERT does not have the appropriate enforcement authority to
help mitigate security incidents. Additionally, it is not sufficiently staffed
to perform its mission. Further, US-CERT has not finalized performance measures
and policies and procedures related to cybersecurity efforts.

Enforcement Authority Could Help Mitigate Security Incidents

US-CERT does not have the appropriate enforcement authority to ensure that
agencies comply with mitigation guidance concerning threats and
vulnerabilities. It needs the authority to enforce its recommendations so that
federal agencies’ systems and networks are protected from potential cyber
threats. Without this authority, US-CERT is limited in its ability to mitigate
effectively ever-evolving security threats and vulnerabilities.

[3] Packet capture involves reviewing the content of the data stream in the
network traffic. Signature development consists of creating a mathematical
algorithm to identify information in a message. Malware is malicious code
(e.g., viruses and worms) used to disrupt service.

According to The National Strategy to Secure Cyberspace, DHS is required to
establish a public-private partnership to respond to and reduce the potential
damage from cyber incidents.
Additionally, the National Infrastructure Protection Plan (NIPP) stipulates
that US-CERT, a partnership between DHS and the public and private sectors, is
tasked to secure the nation’s critical infrastructure and coordinate the
defense against and response to cyber attacks across the nation. Further, the
NIPP requires agencies to cooperate with DHS in implementing protection
efforts.

However, US-CERT was not given the authority to compel agencies to implement
its recommendations to ensure that system vulnerabilities and incidents are
remediated timely. US-CERT management officials stated that the proposed
Federal Information Security Management Act (FISMA) 2008 legislation would have
given it some leverage to implement incident response and cybersecurity
recommendations.[4] For example, the proposed legislation would have required
agencies to address incidents that impair their security. Further, the agencies
would have had to collaborate with others if necessary to address the
incidents. Additionally, agencies would be required to respond to incidents no
later than 24 hours after discovery or provide notice to US-CERT as to why no
action was taken. Finally, agencies would have had to ensure that information
security vulnerabilities were mitigated timely.
Since the proposed legislation was not approved, US-CERT remains without
enforcement authority.

US-CERT’s notices contain recommendations that address the threats and
vulnerabilities in federal agencies’ infrastructures. Additionally, US-CERT
products help to update federal information security policy and guidance.
Without the enforcement authority to implement recommendations, US-CERT
continues to be hindered in coordinating the protection of federal cyberspace.

[4] FISMA 2008 (Proposed Legislation), S. 3474, Calendar Number 1105, 110th
Congress, Second Session.

Additional Staffing Could Help Meet Mission

US-CERT does not have sufficient staff to perform its 24x7 operations as well
as to analyze security information timely. US-CERT is charged with providing
response support and defense against cyber attacks for the Federal Civil
Executive Branch and information sharing and collaboration with state and local
government, industry, and international partners.
Without sufficient staffing, US-CERT cannot completely fulfill its
responsibilities to analyze data and reports to reduce cyber threats and
vulnerabilities as well as support the public and private sectors.

Although US-CERT’s authorized positions were increased from 38 in 2008 to 98 in
2010, as of January 2010, only 45 positions are filled. In October 2009, the
DHS Secretary announced that cybersecurity is an urgent priority for the nation
and the department would hire additional cyber analysts, developers, and
engineers to ensure that crucial computer networks are not vulnerable to
possible cyber attacks. Currently, US-CERT augments its staffing shortages by
contractor support.

Leadership turnover has hindered US-CERT’s ability to hire and retain qualified
staff. In the past 5 years, US-CERT has had four directors, and the director
position was unfilled until as recently as April 2010. Further, due to the
department’s rigorous suitability clearance process, it takes US-CERT a
significant amount of time to fill its critical positions. According to a
former director, it takes 9 to 12 months for new applicants to begin working at
US-CERT even if they already have a top secret clearance. As a result, staffing
shortages force current analysts to perform additional duties, instead of
fulfilling the technical analyst role for which they were hired.

Strategic Plan is Needed

US-CERT has not developed a strategic plan to formalize goals, objectives, and
milestones.
Specifically, US-CERT has not identified or prioritized key activities for the
division to monitor its progress in accomplishing its mission and goals.
Without a strategic plan, US-CERT may have difficulty in achieving its goal to
provide response support and defense against potential cyber attacks for the
federal government.

The Comprehensive National Cybersecurity Initiative requires that the future
cybersecurity environment be strengthened by defining and developing strategies
to deter hostile and malicious activity in cyberspace. Additionally, the
Government Performance Results Act requires agencies to develop strategic plans
for program activities.

According to program officials, US-CERT is developing a strategic plan. This
strategic plan should describe how US-CERT will perform its critical role by
identifying and aligning goals, objectives, and milestones through a variety of
means and strategies. Also, the strategic plan should contain performance
measures related to specific programs, initiatives, products, and outcomes.

As the sophistication and effectiveness of cyber attacks have been steadily
advancing in recent years, a strategic plan can help US-CERT to ensure that
critical milestones and goals are accomplished in a timely manner.
Further, a strategic plan can improve program operations by promoting the
appropriate application of information resources.

Performance Measures are Needed to Assess the Effectiveness of US-CERT

US-CERT has not formalized performance measures to direct and monitor its
efforts to accomplish its mission and goals. Without sufficient outcome
measures, US-CERT cannot effectively assess its program activity against its
intended results.

Performance measures indicate whether a program is meeting its goals and
achieving expected results. Further, performance measures address the direct
products and services delivered by a program (outputs) and the results of those
products and services (outcomes). Outcomes are important as they often describe
the intended results or consequences that will occur from carrying out a
program or activity.

The NIPP requires that a performance measure based system be used to provide
feedback on efforts to attain the goals and supporting objectives of the
programs implemented. Measures provide a basis for establishing accountability,
documenting actual performance, promoting effective management, and providing a
feedback mechanism to decision makers. Additionally, performance measures offer
a quantitative assessment to affirm that specific objectives are being met and
gaps are identified in the national effort or individual agencies’ efforts.

During our audit, US-CERT was in the process of developing performance
measures. To date, US-CERT has provided the following performance measures to
monitor its cybersecurity efforts for two of its four sections:

    Percent of funds obligated.

    Staffing level (filled or pending versus available).

    The percent of reduction in false positive rates in the Einstein.

    US-CERT operation’s average time from the point a logged incident is
    assigned a severity level in the system to the point where a product to
    mitigate that incident is delivered.

    Percent of unique high alert level events detected by the Einstein
    validated as legitimate incidents.

    Creation of monthly metrics reports for each Einstein 2 agency.

After fieldwork, US-CERT officials informed us that they are currently revising
the performance measures they developed to align with the goals, objectives,
and key outcomes outlined in the strategic plan.
They are currently not tracking the performance measures listed above.

Without outcome-based performance measures, US-CERT cannot track its or other
public and private sectors’ progress in managing cybersecurity risks and
threats efficiently and effectively. Additionally, the performance measures and
strategic plan will aid US-CERT in evaluating its progress in building an
effective organization capable of mitigating long-term cyber threats and
vulnerabilities.

Policies and Procedures Have Not Been Approved

US-CERT has not approved its policies and procedures to ensure that management
and operational controls are implemented to defend against, analyze, and
respond to cyber attacks. Without the approved policies and procedures, US-CERT
may be hindered in its ability to respond to security incidents effectively and
promote continuity of operations and consistency.

Leadership and staff turnover and a continually evolving mission have hindered
US-CERT’s past efforts to update its standard operating procedures. Under the
prior director, US-CERT outsourced to contractors off-site the function to
maintain and update procedures. The process of updating the procedures was
discontinued once the director departed.
Further, US-CERT officials determined that the outsourced procedures did not fully address the mission or the day-to-day activities that cyber analysts encounter. According to the officials, outsourcing off-site was not the best method to update these policies and procedures since US-CERT personnel have a better understanding of its mission. After internal reassessment, US-CERT officials decided to use contractor support on-site to develop more concise and direct SOPs.

Currently, US-CERT is in the process of developing approximately 80-90 standard operating procedures (SOP) for its four sections pertaining to various areas of activity, such as network and targeted analyses, malware submission handling, and signature template development. The goal is to have a structure that maps to functions, roles, the organization, and the mission. US-CERT is attempting to make the procedures understandable and practical with contents based on analysts’ experiences.

According to the Homeland Security Act of 2002, the head of each agency is responsible for implementing and overseeing an information security program as well as developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements. Additionally, Office of Management and Budget (OMB) Circular A-123, Management’s Responsibility for Internal Controls defines policies and procedures as tools to help program managers achieve results and safeguard the integrity of their programs.

Recommendations

We recommend that the Under Secretary of NPPD require the Director of NCSD to:

Recommendation #1: Establish specific outcome-based performance measures and a strategic plan to ensure that US-CERT can achieve its mission, objectives, and milestones.

Recommendation #2: Approve policies and procedures to ensure that US-CERT can effectively detect, process, and mitigate incidents as well as perform its roles and responsibilities in a consistent manner.

Management Comments and OIG Analysis

NPPD concurred with recommendation 1. In April 2010, US-CERT released planning guidance to detail how US-CERT will conduct mission and resource planning; establish planning priorities; identify interrelationships between planning efforts; assign responsibilities for planning; and identify general timelines for its planning effort. US-CERT is developing a strategic plan that will map outcome-based objectives to the mission goals and identify performance measures that are measurable, attainable, realistic, and timely. Through these performance measures, US-CERT will continually evaluate its organizational performance to determine whether projects and initiatives are achieving desired results and to select improvement initiatives with the greatest positive organizational impact.
US-CERT plans to complete the strategic plan and identify performance measures by July 15, 2010.

We agree that the steps that NPPD has taken, and plans to take, satisfy this recommendation. This recommendation will remain open until NPPD provides documentation to support that all planned corrective actions are completed.

NPPD concurred with recommendation 2, insofar as there is a need for US-CERT to approve and review SOPs regularly to ensure that US-CERT can perform the roles and responsibilities in a consistent manner, including the detection, analysis and mitigation of incidents. Specific operational procedures, internal functions, and processes are defined within supporting SOPs that are approved by US-CERT leadership. Due to its operational nature, the dynamic threat, and evolving cyber community (including within DHS), US-CERT officials stated that it cannot accurately determine the number of SOPs that may be required, as new SOPs are often identified on a regular basis and SOPs are sometimes combined to improve coordination efficiency within US-CERT. Once approved, an SOP will be reviewed at least bi-annually.

We agree that the steps that NPPD has taken, and plans to take, satisfy this recommendation.
This recommendation will remain open until NPPD provides documentation to support that all planned corrective actions are completed.

Better Information Sharing and Communication Can Enhance Coordination Efforts With the Public

US-CERT needs to improve its information sharing and communication efforts with federal agencies to ensure that threats and vulnerabilities are mitigated in a timely manner. Specifically, officials from other federal agencies expressed concerns that US-CERT was unable to share near real-time data and classified and detailed information to address security incidents.

We interviewed officials from eight federal agencies to obtain feedback on Einstein and to determine whether US-CERT shared sufficient information and communicated effectively. Overall, these agency officials indicated that Einstein is an effective tool but expressed concerns regarding the effectiveness of US-CERT’s information sharing and communication.

Officials from six agencies expressed concerns regarding US-CERT not sharing Einstein data and analysis results. According to some of the federal agency officials we interviewed, US-CERT agreed that they would have access to the Einstein flow data but subsequently did not provide the information.
This data could assist agencies in performing analyses with their locally collected data to identify potential threats and vulnerabilities. Also, agency officials stated that it would be helpful for US-CERT to list which agencies are being attacked and provide common trends to other agencies to determine whether the incident is isolated or systemic.

Further, agencies indicated that US-CERT has not provided sufficient training on the Einstein program. Some agencies indicated that they received compact disks, portable document format brochures, and handbooks about the Einstein program, while other agencies received nothing. Agencies indicated that they would like to receive additional Einstein training from US-CERT.

US-CERT officials acknowledged that there are communications issues regarding sharing classified and detailed information with other agencies. For example, US-CERT collects and posts information from several systems and sources to different portals, all of which have different classification levels. As a result, US-CERT officials believe that communications needs could be best addressed by developing a consolidated information sharing portal.
The consolidated portal could provide a multiple classification platform and serve as a central repository to meet the needs of the stakeholders.

A challenge US-CERT faces is that many intelligence agencies communicate classified information on Top Secret/Sensitive Compartmented Information networks. Since not all agencies have access to classified networks, US-CERT is limited in what it can convey. Some agencies do not have secure facilities, equipment, and cleared personnel to send or receive classified information.

Additionally, US-CERT has to deal with the various network architectures of the different agencies. Since US-CERT does not have access to each agency’s architecture, it is imperative to have the agency Chief Information Officer (CIO) and Chief Information Security Officer (CISO) involved in addressing cyber activities. Establishing direct, regular communication with agency CIOs/CISOs or key security assurance personnel ensures that US-CERT’s cybersecurity efforts are implemented. For example, US-CERT and the CIO/CISO can determine what should be implemented to improve the agency’s situational awareness. Further, they can address network and cybersecurity challenges such as fragmented infrastructures, legacy systems, and limited budgets.

Currently, US-CERT uses working groups and portals to share information with the public and private sectors. For example, US-CERT established the Joint Agency Cyber Knowledge Exchange and Government Forum of Incident Response and Security Teams (GFIRST) to facilitate collaboration on detecting and mitigating threats to the “.gov” domain and to encourage proactive and preventative security practices. The Joint Agency Cyber Knowledge Exchange meetings are held at a classified level to discuss threat-related tactics, techniques, and protocol. Additionally, US-CERT disseminates various reports and notices through the GFIRST and US-CERT portals.⁵ These products contain a summary of the incident, mitigation strategies, and best practices. The products are disseminated to stakeholders on an as-needed, daily, monthly, or quarterly basis.

It is essential that US-CERT and the public and private sectors share cybersecurity information to ensure that appropriate steps can be taken to mitigate the potential effect of a cyber incident. US-CERT cannot defend against and respond consistently and effectively to cyber activity without other agencies’ involvement. By sharing potential security threats collected through its data sources, US-CERT can provide agencies with detailed information regarding attacks to their networks.

Recommendations

We recommend that the Under Secretary of NPPD require the Director of NCSD to:
Recommendation #3: Improve communications with federal agency CIOs and CISOs to address their concerns, to identify areas of improvement about the program, and to enhance US-CERT’s ability to combat cybersecurity challenges.

Recommendation #4: Establish a consolidated, multiple classification level portal that can be accessed by the federal partners that includes real-time incident response related information and reports.

Recommendation #5: Develop a process to distribute and share Einstein trends, anomalies, and common/reoccurring attacks with other federal agencies.

Recommendation #6: Provide training to federal agencies on using available features of Einstein to foster better cooperation in analyzing and mitigating security incidents.

⁵ Products US-CERT disseminates include: Situational Awareness Reports, Critical Infrastructure Information Notices, Federal Information Notices, Early Warning Indicator Notices, and Malware Initial Findings Reports.

Management Comments and OIG Analysis

NPPD concurs with recommendation 3.
US-CERT recognizes the need for stronger communication with departments and agencies. Moreover, US-CERT must maintain a technical interchange with agency security operation centers and relationships with departments and agencies to share cybersecurity posture information regarding their agency and how they can enhance it.

US-CERT offers multiple products, services, and forums to support agency engagement. Recently, US-CERT has been providing contextual classified and unclassified briefings to agency CIO offices and their staff on the cyber threat. US-CERT is also evaluating an agency-specific product that would help each agency understand the Einstein 2 activity identified in the context of the larger, consolidated dataset of on-going attacks and threats. US-CERT is planning to distribute this agency-specific product by the end of Fiscal Year (FY) 2010. Additionally, US-CERT is developing a more comprehensive information sharing and collaboration environment as part of its Einstein program to support continuous communications on vulnerabilities, indicators, and mitigation with initial deployment planned for FY 2012. As US-CERT’s goal is to hire additional staff in FY 2011 and FY 2012, US-CERT plans to establish better outreach strategies, such as a customer advocacy program wherein each agency would have a specific contact person at US-CERT with whom to interact. This will enable US-CERT to maintain a more proactive relationship with each agency.
US-CERT plans to draft the Outreach Strategy by the second quarter of FY 2011.

We agree that the steps that NPPD has taken, and plans to take, satisfy this recommendation. This recommendation will remain open until NPPD provides documentation to support that all planned corrective actions are completed.

NPPD concurs with recommendation 4 and agrees with the need to share information and collaborate with federal partners across multiple levels of classification. However, US-CERT currently generates very limited classified data to be shared with federal agencies. This limits the efficiencies that would be realized by creating a multiple classification level portal. As US-CERT’s capabilities continue to grow, it is anticipated that increasing amounts of classified data will be produced. Prior to implementing a multiple classification level portal, US-CERT will assess the feasibility of various portal models and create one at the appropriate level of classification.

In the meantime, US-CERT is developing a strategy for an information sharing environment that can be employed at all levels of classification. US-CERT is developing a more robust information sharing and collaboration environment across its private and public sector constituents with the initial deployment planned for FY 2012.
Additionally, US-CERT will develop a more effective information sharing and collaboration presence on the classified networks.

We agree that the steps that NPPD has taken, and plans to take, satisfy this recommendation. This recommendation will remain open until NPPD provides documentation to support that all planned corrective actions are completed.

NPPD concurs with recommendation 5. US-CERT is currently evaluating an agency-specific product that would help each agency understand the activity that Einstein detects for that agency against aggregated constituent data. US-CERT is prototyping the report and plans to provide fully processed products to agencies by the end of FY 2010. As part of the Einstein 2 effort, US-CERT is also developing an information sharing portal to enable each agency to have a direct view of its serialized Einstein data and to be able to compare that to the broader federal community.

We agree that the steps that NPPD has taken, and plans to take, satisfy this recommendation. This recommendation will remain open until NPPD provides documentation to support that all planned corrective actions are completed.

NPPD concurs with recommendation 6. Currently, federal agencies only have access to netflow data within Einstein. The NCSD’s Network Security Deployment Branch is responsible for Einstein deployment and discusses netflow data access with the federal agency during system installation.
The Network Security Deployment Branch will ensure that a discussion and instructions on how to access flow data are included as a formal agenda item during each Einstein deployment. Additionally, US-CERT will be evaluating netflow and other Einstein training requirements for federal agencies and will provide periodic training in FY 2011.

We agree that the steps that NPPD has taken, and plans to take, satisfy this recommendation. This recommendation will remain open until NPPD provides documentation to support that all planned corrective actions are completed.

Improved Situational Awareness and Identification of Network Anomalies Can Better Protect Federal Cyberspace

US-CERT is unable to monitor federal cyberspace in real time. The tools US-CERT uses do not allow real-time analyses of network traffic. As a result, US-CERT will continue to be challenged in protecting the federal cyberspace from security-related threats.

Currently, US-CERT maintains near real-time situational awareness as it performs information aggregation activities. US-CERT collects data in real time but must perform analysis on the data in near real time. Cyber analysts receive information from a variety of sources and other US-CERT activities to identify potential incidents and to assess their possible scope and impact on the nation’s cyber infrastructure (see Figure 2).

Figure 2. US-CERT’s Information Workflow. Source: US-CERT

Einstein is being deployed in three different versions, whereby each builds on the capabilities of the previous version:

- Einstein 1 (E1) collects and relies on net flow analysis capability and uses net flow collectors. Net flow data is queried for analysis.
- Einstein 2 (E2) is an intrusion detection system, but is still passive, performing analysis while traffic is continuous.⁶ E2 looks for anomalous activity from net flow information based on every session between two computers on the internet. E2 is more beneficial for detecting and mitigating cyber incidents because of its ability to analyze packet data. Additionally, E2 performs full session packet analysis.
- Einstein 3 (E3) draws on commercial technology and specialized government technology to conduct real-time full packet inspection and threat-based decision making on network traffic entering or leaving the executive branch networks.⁷ This system also deploys an intrusion prevention feature.⁸

⁶ Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents that violate or imminently threaten to violate computer security policies, acceptable use policies, or standard security practices.

Additionally, US-CERT employs technology, systems, and tools to fulfill its mission requirements to protect and defend the nation’s infrastructure against potential threats from cyberspace, and respond to security incidents. Currently, US-CERT uses the following list of tools to detect and mitigate cybersecurity incidents: Remedy, SiLK, SharePoint, Wireshark, Jabber Server, DeepSight, and Sourcefire.

With Einstein, US-CERT can gather more network traffic information and identify cyber activity patterns. However, US-CERT cannot capture all network traffic because Einstein has not been deployed to all federal agencies. Initially, the deployment of E1 to federal agencies was entirely voluntary.
In September 2008, OMB made Einstein part of the Trusted Internet Connections initiative and required all agencies to install sensors on their networks.⁹

As of October 2009, NCSD’s Network Security Deployment Branch had deployed E1 to 19 agencies and E2 to 8 agencies. Currently, US-CERT is conducting a pilot exercise of E3 to evaluate its capabilities. According to the Comprehensive National Cybersecurity Initiative and US-CERT officials, E3 will contain real-time full packet inspection and an intrusion prevention feature. These additions should give US-CERT better response and monitoring capabilities.

According to US-CERT officials, many agencies have not installed Einstein because they have not consolidated their gateways to the Internet. Further, some agencies have fragmented networks and must upgrade their architectures before Einstein can be deployed.

⁷ Packet inspection refers to performing some type of stateful protocol analysis, often combined with a firewall capability that can block communications determined to be malicious.

⁸ Intrusion prevention is the process of performing intrusion detection and attempting to stop possible incidents.

⁹ OMB Memorandum M-08-27, Guidance for Trusted Internet Connection Compliance, September 2008. OMB Memorandum M-08-05, Implementation of Trusted Internet Connection, November 2007 defined the purpose of the Trusted Internet Connections initiative as an approach to optimize individual agency network services into a common solution for the federal government to reduce its external connections, including internet points of presence.

Additionally, US-CERT does not have an automated correlation tool to identify trends and anomalies. With this vast amount of network traffic, US-CERT experienced a long lead time to analyze potential security threats or abnormalities. To reduce the lead time, NCSD purchased an automated correlation tool to analyze the vast amount of data from Einstein.¹⁰ However, US-CERT is currently experiencing problems with reconfiguring the tool to collect data and understand the overall data flow. US-CERT management stated that it may be 6 months before the problems are corrected and the benefits of the system can be seen.

According to the Homeland Security Act of 2002, DHS shall establish appropriate systems, mechanisms, and procedures to share homeland security information relevant to threats and vulnerabilities in national critical infrastructure and key resources with other federal departments and agencies, state and local governments, and the private sector in a timely manner.
Further, The National Strategy to Secure Cyberspace recommends that DHS coordinate with other federal agencies to share specific warning information and advice about appropriate protective measures and countermeasures.

An effective analysis and warning program is critical to secure the federal information technology infrastructure. For US-CERT to perform its responsibilities successfully, it must have sufficient state-of-the-art technical and analytical tools and technologies to identify, detect, analyze, and respond to cyber attacks. Additionally, cybersecurity information can provide the public and private sectors with valuable input for mitigating risks and threats, protecting against malicious attacks, and prioritizing security improvement efforts.

¹⁰ The automated correlation tool is an event management tool that takes and correlates information from both Sourcefire and SiLK. It will be used to write an event filter if two events occur – connection and detection.

Recommendation

We recommend that the Under Secretary of NPPD require the Director of NCSD to:

Recommendation #7: Establish a capability to share real-time Einstein information with federal agency partners to assist them in the analysis and mitigation of incidents.

Management Comments and OIG Analysis

NPPD did not concur with recommendation 7 to the extent it relates to E2. US-CERT bases the implementation of signatures in E2 on current threats to the federal government. As a result of the events triggered by the signatures, US-CERT is working to provide federal agencies with serialized, near real-time analysis reports derived from E2 data. NPPD officials stated that while some departments and agencies with E1 netflow sensors installed have access to netflow data, that access is not real-time or near real-time. Additionally, NPPD maintained that no such access was ever contemplated by the program.
Moreover, for a variety of reasons, ranging from volume of data, need for validation via analysis/processing and classification issues, neither the current E2 deployment nor the planned E3 solution contemplates sharing unprocessed raw intrusion detection system and intrusion prevention system data with departments and agencies in near real-time.

We consider this recommendation unresolved and will require additional discussion between our offices before disposition. We maintain that due to the dynamic nature of cyber attacks, NPPD should ensure that the least amount of time is used to analyze potential threat and vulnerability data and share the information with other federal agencies in a timely manner to facilitate prompt actions that would minimize the impact of the risk. As a result, NPPD needs to reposition itself from being reactive to proactive in responding to potential risks.

Appendix A
Purpose, Scope, and Methodology

The objective of our audit was to determine whether US-CERT is effective in its efforts to coordinate national cyber analyses and warnings against and response to attacks within the nation’s critical infrastructure. Specifically, we determined whether US-CERT:

• Has implemented an effective national cyber analysis and warning program to protect against cyber attack.

• Is properly managing its collaborative efforts to coordinate and facilitate information sharing on cybersecurity issues among the public and private sectors.

• Is properly administering its tools to assess situational awareness of the cyberspace and identify network anomalies spanning the federal government.

Our review focused on US-CERT’s operations based on the requirements outlined in Homeland Security Presidential Directive 7, National Infrastructure Protection Plan (2009), The National Response Framework (January 2008), The National Strategy to Secure Cyberspace (February 2003), The Comprehensive National Cybersecurity Initiative, and Office of Management and Budget Memorandums for the Government Performance and Results Act. We interviewed selected US-CERT and NCSD management officials, as well as personnel from the DHS Network Operations Center/Security Operations Center. Further, we interviewed personnel from the Departments of Agriculture, Education, Interior, Justice, State, and Transportation; the Executive Office of the President; and the United States Agency for International Development regarding US-CERT’s communication methods, information sharing, tools, incident management, and cybersecurity concerns.

We conducted our fieldwork at both program and management levels and visited the Federally Funded Research and Development Center at Carnegie Mellon University in Pittsburgh, Pennsylvania. We conducted this audit between October 2009 and March 2010 according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Major OIG contributors to the audit are identified in Appendix D.

The principal OIG points of contact for the audit are Frank W. Deffer, Assistant Inspector General, Information Technology Audits, at (202) 254-4041, and Chiu-Tong Tsang, Director, Information Security Audit Division, at (202) 254-5472.

Appendix B
Management Comments to the Draft Report

Appendix C
Major OIG Contributors to this Report

Information Security Audit Division

Edward Coleman, Director
Chiu-Tong Tsang, Director
Tarsha Cary, Audit Manager
Pamela Chambliss-Williams, Senior IT Auditor
Shannon Frenyea, Senior Program Analyst
David Bunning, IT Specialist

Swati Nijhawan, Referencer

Appendix D
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
Executive Secretary
Assistant Secretary, Legislative Affairs
Assistant Secretary, Policy
Assistant Secretary, Public Affairs
General Counsel
Office of Security
Office of Privacy
Assistant Secretary, Cyber Security and Communications
Chief Information Officer (CIO)
Deputy CIO
Chief Information Security Officer
Director, NCSD
Director, US-CERT
Information Systems Security Manager, NPPD
Director, Departmental GAO/OIG Liaison Office
Director, Compliance and Oversight Program
Audit Liaison, NPPD
Audit Liaison, DHS/CISO
Audit Liaison, DHS/CIO
Director, Information Security Audit Division (ISAD)
Audit Manager, ISAD

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Appropriate Congressional Oversight and Appropriations Committees

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
  DHS Office of Inspector General/MAIL STOP 2600,
  Attention: Office of Investigations - Hotline,
  245 Murray Drive, SW, Building 410,
  Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.